From: Simon Ruderich <simon@ruderich.org>
To: zsh-workers@zsh.org
Date: Wed, 28 Sep 2016 12:37:32 +0200
Subject: Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
Message-ID: <20160928103706.elmurtrr4pc5e2kw@ruderich.org>
In-Reply-To: <20160927100221.7d4f744f@pwslap01u.europe.root.pri>
References: <20160927075347.GA500@fujitsu.shahaf.local2> <20160927100221.7d4f744f@pwslap01u.europe.root.pri>
List-Id: Zsh Workers List (X-Seq: 39474)

On Tue, Sep 27, 2016 at 10:02:21AM +0100, Peter Stephenson wrote:
> I've attempted to tidy up the logic to the point where I think I
> understand it. Does the test "(!getuid() || !geteuid())" make sense or
> should that be something else?

I don't see a reason why zsh running as root shouldn't import these
variables. Only when running in a setuid context do possible security
issues arise (ignoring the fact that any setuid program calling a shell
is broken anyway because we will always miss some env-variable which can
be abused).

I think the test should be changed to getuid() != geteuid() or similar
to trigger only in setuid cases.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
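As an added illustration of the two checks discussed in this reply (example code, not zsh's own), the following C program puts the quoted test and the proposed replacement side by side over constructed credential sets, so the difference on a plain root shell versus a setuid-root process is visible. The gid/egid comparison is an extension assumed here for setgid binaries; the thread itself only mentions uid/euid.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Credentials passed explicitly so the policy can be evaluated against
 * constructed values as well as against the live process. */
struct creds {
    uid_t uid, euid;
    gid_t gid, egid;
};

/* The test as quoted in the thread: refuse the import whenever either the
 * real or the effective uid is root. It also fires for an ordinary root
 * login shell, which is the case the reply objects to. */
bool import_blocked_if_root(const struct creds *c)
{
    return !c->uid || !c->euid;
}

/* The reply's proposal: block only when the process runs with privileges
 * it did not start with. Comparing gid/egid too is an assumption added
 * here to cover setgid binaries; the thread only names uid/euid. */
bool import_blocked_if_setuid(const struct creds *c)
{
    return c->uid != c->euid || c->gid != c->egid;
}

/* Policy decision: may SHELLOPTS and PS4 be taken from the environment? */
bool may_import_env(const struct creds *c)
{
    return !import_blocked_if_setuid(c);
}

/* Stand-alone use: evaluate the policy for the calling process. */
int main(void)
{
    struct creds c = { getuid(), geteuid(), getgid(), getegid() };
    printf("uid=%u euid=%u gid=%u egid=%u -> import %s\n",
           (unsigned)c.uid, (unsigned)c.euid,
           (unsigned)c.gid, (unsigned)c.egid,
           may_import_env(&c) ? "allowed" : "refused");
    return 0;
}
```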